Secure Renegotiation in PANOS 9x?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Secure Renegotiation in PANOS 9x?

L0 Member

I'm seeing some posts stating that Secure Renegotiation is not supported on the Palo Alto platform. Is this still true for the latest release, v9.x? If so, how is it enabled? 

1 accepted solution

Accepted Solutions

Hi @richardhicks 

 

At least on a global protect portal website secure renegotiation is still not supported ... so I assume this also applies to inbound decryption.

 

@BPry 

What do you think when TLS1.3 support will be added? I would saysomewhere in 2021 😛 (with PAN-OS 10?)

View solution in original post

10 REPLIES 10

Cyber Elite
Cyber Elite

@richardhicks,

I'm fairly certain that TLS Renegotiation was fixed in an update to 6.0, so it's been available for a while. Regardless renegotiation is dying anyways; TLS 1.3 removes it completely. 

Good to hear. So how to enable it? I'm certainly glad that TLS 1.3 eliminates it, but my customer has TLS 1.2 at the moment and need to elminate this audit finding. 🙂

Hi @richardhicks 

 

At least on a global protect portal website secure renegotiation is still not supported ... so I assume this also applies to inbound decryption.

 

@BPry 

What do you think when TLS1.3 support will be added? I would saysomewhere in 2021 😛 (with PAN-OS 10?)

@Remo,

Last I heard it was still being targeted for 9.1**, but it wouldn't suprise me at all of this got pushed back to 10*. There's some really interesting papers you can find that speak in detail about the additional issues with TLS 1.3 and attempting to intercept that communication in a passive format. 

 

 

*version names referenced are simply picked from historical release information.

**Inside Baseball (IE: Roadmap) discussions are strictly confidential and enforced through an NDA. The information presented in this post is non-official information and was not directly supplied by Palo Alto Networks or its employees. 

Hi @Remo @BPry @richardhicks 

Are there any current versions of PAN-OS that support secure renegotiation?
Inbound decryption SERVER-INITIATED Secure Renegotiation IS NOT supported.
Secure Renegotiatio---->Not supported ACTION NEEDED (more info)
Secure Client-Initiated Renegotiation---- >No

From palo alto side can to possible to configure support secure renegotiation

if it is  feature request then can you please provide me FR number 

 

Thanks 

 

L0 Member

Is finally secure renegotiation (in inbound decryption) supported in the 10.1 or 11.0 firmware?

It seems is a feature that has been missing for too long.

 

Thanks

Community Team Member

Hi @Ghidini ,

 

There are actually 2 existing FRs for this feature:

FR ID: 8112 (support for secure renegotiation / inbound SSL decrypt and GlobalProtect )

FR ID: 18516 (Support for RFC 5746 )

 

Please reach out to your local SE and you can have your vote added to them.

 

Kind regards,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

10.2.5 and SSLLabs result for GlobalProtect portal went from A- to A+ 🎉

It requires removing weak ciphers from CLI though.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you,

currently we are on 10.1.10 release.

So, to obtain an A+ we must upgrade exactly to 10.2.5 release or we need only to remove weak ciphers by CLI?

Which is the real solution?

 

Thank you for your support,

Daniel

Cyber Elite
Cyber Elite

You need to upgrade PANOS. Removing weak ciphers gives only A- 

To get A+ you need to upgrade to PANOS that supports renegotiation.

 

10.2.5

PAN-184630 - Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).

 

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-5-known-and-addressed...

 

You need to review 10.1.x release notes to see if renegotiation is fixed in any of it's versions.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1 accepted solution
  • 15641 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!